Method and system for enabling data usage accounting through a relay

ABSTRACT

A method and system for enabling data usage accounting is described herein. The method can be practiced on a computing device that has secure applications and unsecure applications installed thereon. Initially, a request for a data session that includes a final endpoint can be received through a secure application. The request for the data session can be intercepted and modified to cause the request to be re-directed back to the secure application. A connection with a relay server can be initiated instead of the final endpoint such that data usage accounting for the data session is to be conducted at a remote location.

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application is a divisional of U.S. patent application Ser.No. 14/669,120, filed on Mar. 26, 2015, which is a continuation of U.S.patent application Ser. No. 14/615,799, filed on Feb. 6, 2015, which isa continuation-in-part of U.S. patent application Ser. No. 14/608,662,filed on Jan. 29, 2015, which is a continuation-in-part of U.S. patentapplication Ser. No. 14/573,601, filed on Dec. 17, 2014, which is acontinuation of U.S. patent application Ser. No. 14/478,066, filed onSep. 5, 2014, now issued as U.S. Pat. No. 8,938,547 on Jan. 20, 2015,each of which is incorporated herein by reference in its entirety.

FIELD OF TECHNOLOGY

The present description relates to methods and systems for data usageaccounting and more particularly, to methods and systems for data usageaccounting in computing devices with secure enterprise applications andpersonal applications.

BACKGROUND

In an effort to increase productivity, many employers allow theirworkers to conduct business related to the employer on their personalmobile devices. In some cases, employers also provide some of theiremployees with company-issued mobile devices. In either arrangement, anemployer understands that a single device may include sensitive datarelated to that employer in addition to data that is personal to theemployee. Several advances have been made in an effort to protect anemployer's data in these circumstances. For example, OpenPeak Inc. ofBoca Raton, Florida has developed solutions that enable a mobile deviceto include both enterprise and personal data but that isolate theenterprise data from the personal data. As part of these solutions, anemployee may download secure applications that may be used to conducttransactions related to the enterprise.

Because the employee's device may include both personal and secureapplications, it may be desirable to bifurcate the process of data usageaccounting. In particular, the employer may wish to receive anaccounting of the data usage associated with the secure applicationsthat have been installed on the employee's device on behalf of theemployer. This accounting, however, needs to be separate from dataaccounting that may be attributable to unsecure applications that theemployee may have installed for personal use.

SUMMARY

A method for enabling data usage accounting through a relay is describedherein. The method can be practiced on a computing device that hassecure applications and unsecure applications installed thereon.Initially, a request for a data session that includes a final endpointcan be received through a secure application. The request for the datasession can be intercepted and modified to cause the request to beredirected back to the secure application. In addition, a connectionwith a relay component can be initiated instead of the final endpointsuch that data usage accounting for the data session is to be conductedat a remote location.

In one example, the final endpoint can be provided to the relay serverto enable the relay component to establish a connection with the finalendpoint. In another example, the connection with the relay componentthat is initiated can be transparent to the secure application, and theconnection with the relay component that is initiated may be based on aprotocol that is non-native to the secure application. This arrangementcan mean that some portion of the secure application, such as theoriginal code of the target application that comprises the secureapplication, may be abstracted away from the connection with the relaycomponent, while some other portion of the secure application, like asecure framework and/or other code that has been integrated with thetarget application to create the secure application, may enable theabstraction and may facilitate the connection with the relay component.As such, the original code of the target application does not have to berestructured, altered or re-written to account for the redirection ofthe request or for the (incompatible) protocol of the relay component.

In one embodiment, data from the secure application can be bufferedwhile the connection with the relay component or the final endpoint isbeing established. Initiating the connection with the relay componentmay include providing an internet protocol (IP) address of the computingdevice to the relay component. Further, the connection that is initiatedwith the relay component is configured to support the transport of bothunencrypted data and encrypted data for the secure application.

Another method of enabling segregated data usage accounting on acomputing device is described herein. At first, a secure applicationthat is installed on the device can be launched in which the device mayhave unsecure applications installed thereon in addition to the secureapplication. Through the secure application, content may be requestedfrom a final destination. In response, the content request may beredirected back to the secure application, and a connection with a relayserver can be initiated to enable retrieval of the requested contentfrom the final destination and to enable an accounting of data of theretrieved content. In one arrangement, the initiation of the connectionwith the relay server only occurs for the secure application and not forthe unsecure applications.

Additionally, the final destination and an IP address of the computingdevice may be provided to the relay server. Like the previous method,the connection of the relay server may be based on a protocol that isnon-native to the secure application and redirecting the content requestback to the secure application may include natively redirecting thecontent request back to the secure application. Natively redirecting mayrefer to the secure application relying on native calls when initiallygenerating the data session request. Also like the previous method,initiating the connection with the relay server may includetransparently initiating the relay connection with the relay server.

In one embodiment, the content request can be redirected back to thesecure application for a plurality of predetermined networking callsfrom the secure application. As an example, the connection with therelay server may be predefined and able to accommodate each of thepredetermined networking calls. As another example, initiating theconnection with the relay server may include authenticating thecomputing device with the relay server prior to permitting data exchangebetween the secure application and the relay server. In some cases, datafrom the secure application can be buffered while the connection withthe relay server is established.

In another arrangement, it can be determined whether the computingdevice is operating on a Wi-Fi communication network. In response to thedetermination, a setting can be activated that prevents the contentrequest from being redirected back to the secure application and theinitiation of the connection with the relay server.

A method of counting data associated with secure applications is alsodescribed herein. In the method, a request can be received to establisha relay connection with a requesting secure application installed on acomputing device that includes both secure applications and unsecureapplications. In response, the computing device can be authenticated. Ifthe device is authenticated, the relay connection with the requestingsecure application can be established, and a connection with a finaldestination specified by the requesting secure application can beinitiated. In addition, data associated with the final destinationconnection can be counted such that a data usage amount is determinedfor the requesting secure application. The counting of the data may onlybe performed for the secure applications.

Further, data associated with the final destination connection may bereturned to the secure application over the relay connection. As withthe previous methods, the relay connection may be based on a protocolthat is non-native to the requesting secure application. As anotherexample, receiving the request to establish the relay connection mayinclude receiving the final destination specified by the requestingsecure application and an IP address of the computing device.Establishing the relay connection with the requesting secure applicationmay include establishing the relay connection with the requesting secureapplication only if the computing device is operating on a predeterminedcellular network. This predetermined cellular network may be owned,operated or maintained by the same entity that performs the counting ofthe data associated with the final destination. A report that detailsthe data usage of the secure applications installed on the computingdevice may also be generated.

A computing device is also described herein. The computing device mayinclude a display that is configured to display both secure and unsecureapplications that are installed on the computing device and may alsoinclude a processing unit that is communicatively coupled to thedisplay. The processing unit can be configured to receive a data accessrequest through one of the secure applications in which the data accessrequest may include a final destination. The processing unit may also beconfigured to cause a redirection of the data access request back to thesecure application and to cause a connection with a relay server to beinitiated to enable an accounting of data associated with the dataaccess request. The relay server can be configured to establish aconnection with the final destination specified by the secureapplication. The processing unit can be further configured to cause theredirection of the data access request and the connection with the relayserver for the secure applications but not for the unsecureapplications.

In one arrangement, the computing device can include a Wi-Ficommunications stack that is communicatively coupled to the processingunit. The processing unit can be further configured to cause a settingto be activated to prevent the redirection of the data access requestand the connection with the relay server if the computing device isconnected to a Wi-Fi network through the Wi-Fi communications stack.This feature may be applicable to other networks. For example, thesetting may be activated if the computing device is camped on a roamingnetwork or a network in which data usage charges are not applicable ornot otherwise incurred for access or use.

The computing device may also include memory that is communicativelycoupled to the processing unit. In this case, the processing unit can befurther configured to cause data from the secure application to bebuffered in the memory while the connection with the relay server isestablished. As another example, similar to the methods described above,the connection with the relay server may be based on a protocol that isnon-native to the requesting secure application, and the processing unitis further configured to cause the connection with the relay server tobe initiated transparently with respect to the requesting secureapplication. In one embodiment, the connection with the relay server canbe configured to support unencrypted traffic between the secureapplication and the final destination. In another embodiment, theprocessing unit can be further configured to cause the connection withthe relay server to be initiated by causing a listening socket on aloopback interface to be generated and a back-end socket to begenerated.

Further features and advantage, as well as the structure and operationof various embodiments, are described in detail below with reference tothe accompanying drawings. It is noted that this description is notlimited to the specific embodiments presented herein. Such embodimentsare provided for illustrative purposes only. Additional embodiments willbe apparent to persons skilled in the relevant art(s) based on theteachings contained herein.

BRIEF DESCRIPTION OF THE DRAWINGS/FIGURES

The accompanying drawings, which are incorporated herein and form partof the specification, illustrate embodiments of the subject matterdescribed herein and, together with the description, further serve toexplain the principles of such subject matter and to enable a personskilled in the relevant art(s) to make and use the subject matter.

FIG. 1 illustrates an example of a block diagram of the systemarchitecture of a computing device that is configured to practice thesubject matter described herein.

FIG. 2 illustrates an example of a system that shows the computingdevice of FIG. 1 in communication with one or more remote servers.

FIG. 3 illustrates an example of a method for data usage accounting.

FIG. 4 illustrates an example of an interaction among a secureapplication, a remote server and a system service.

FIG. 5 illustrates another example of a method for enabling data usageaccounting.

FIG. 6 illustrates an example of an interaction between a secureapplication and a system server.

FIG. 7 illustrates an example of a system that shows the computingdevice of FIG. 1 in communication with one or more relay servers and oneor more remote servers.

FIG. 8 illustrates an example of a method for data usage accountingthrough a relay.

FIG. 9 illustrates an example of an interaction among a secureapplication, a relay server and a remote server.

The features and advantages of the embodiments herein will become moreapparent from the detailed description set forth below when taken inconjunction with the drawings, in which like reference charactersidentify corresponding elements throughout. In the drawings, likereference numbers generally indicate identical, functionally similar,and/or structurally similar elements.

DETAILED DESCRIPTION

The following detailed description refers to the accompanying drawingsthat illustrate exemplary embodiments; however, the scope of the presentclaims is not limited to these embodiments. Thus, embodiments beyondthose shown in the accompanying drawings, such as modified versions ofthe illustrated embodiments, may nevertheless be encompassed by thepresent claims.

References in the specification to “one embodiment,” “an embodiment,”“an example embodiment,” “one arrangement,” “an arrangement” or thelike, indicate that the embodiment or arrangement described may includea particular feature, structure, or characteristic, but every embodimentmay not necessarily include the particular feature, structure, orcharacteristic. Moreover, such phrases are not necessarily referring tothe same embodiment or arrangement. Furthermore, when a particularfeature, structure, or characteristic is described in connection with anembodiment or arrangement, it is submitted that it is within theknowledge of one skilled in the art to implement such feature,structure, or characteristic in connection with other embodiments orarrangements whether or not explicitly described. The word “among,” asit is used throughout this description, should not necessarily beinterpreted as requiring exchanges or interaction among three or moreapplications, irrespective of grammar rules. The word “a” is notnecessarily limited to a singular instance of something, as it may meanone or more.

Several definitions that apply throughout this document will now bepresented. The term “exemplary” as used herein is defined as an exampleor an instance of an object, apparatus, system, entity, composition,method, step or process. The term “communicatively coupled” is definedas a state in which two or more components are connected such thatcommunication signals are able to be exchanged (directly or indirectly)between the components on a unidirectional or bidirectional (ormulti-directional) manner, either wirelessly, through a wired connectionor a combination of both. A “computing device” is defined as a componentthat is configured to perform some process or function for a user andincludes both mobile and non-mobile devices. The term “computer readablestorage medium” is defined as one or more components that are configuredto store instructions that are to be executed by one or more processingunits.

An “application” is defined as a program or programs that perform one ormore particular tasks on a computing device. Examples of an applicationinclude programs that may present a user interface for interaction witha user or that may run in the background of an operating environmentthat may not present a user interface while in the background. The term“operating system” is defined as a collection of software componentsthat directs a computing device's operations, including controlling andscheduling the execution of other programs and managing storage,input/output and communication resources. A “processing unit” or“processor” is defined as one or more components that execute sets ofinstructions, and the components may be disparate parts or part of awhole unit and may not necessarily be located in the same physicallocation.

The terms “memory,” “memory element” or “repository” are defined as oneor more components that are configured to store data, either on atemporary or persistent basis. The term “shared memory” is memory, amemory element or a repository that is accessible (directly orindirectly) by two or more applications or other processes. An“interface” is defined as a component or a group of components thatenable(s) a device to communicate with one or more different devices,whether through hard-wired connections, wireless connections or acombination of both. An “input/output device” is defined as a devicethat is configured to at least receive input from a user or a machinethat is intended to cause some action or other effect on a componentwith which the input device is associated. A “display” is defined as anapparatus that presents information in visual form and may or may notreceive input through a touch screen.

The term “file system” is defined as an abstraction that is used toorganize, store and retrieve data. The term “secure application” isdefined as an application that has been modified or enhanced from itsoriginal form to restrict communications between the application andunauthorized programs, applications or devices and to restrict operationof the application based on policy or to alter, augment or add featuresassociated with the operation of the application (or any combinationthereof) or— in the case of the application not being modified—anapplication that is part of a secure workspace that is protected fromdata exchanges with applications that are part of a personal or anunsecure workspace. A “target application” is defined as an applicationthat has been selected for conversion into a secure application. An“unsecure application” is defined as an application that has notundergone the modification required to convert the application into asecure application and, as such, is unable to obtain data from a secureapplication in view of an obfuscation scheme employed by that secureapplication or is an application that is not part of a secure workspaceand is restricted from accessing data from the secure workspace. A “hubapplication” is defined as an application that receives input from oneor more secure applications and establishes connections with externalentities on behalf of the secure applications that provide such input. A“virtual machine” is defined as a platform-independent executionenvironment that emulates a physical machine.

The term “personal workspace” is defined as a workspace, profile orpartition that is configured to contain the personal content andunsecure applications or other unsecure programs associated with a userof a computing device on which the personal workspace sits. The term“secure workspace” is defined as a workspace, profile or partition thatis configured to contain secure content, secure applications and othersecure programs and requires some form of authentication to be accessed.

The term “content provider” is defined as a site that offers data forconsumption by a computing device. The term “system service” is definedas an application or a set of applications on a computing device thatoffer one or more features for access by an unsecure application or asecure application. A “secure connection” is defined as a connection inwhich at least some portion of the data that is exchanged over theconnection is encrypted or otherwise obfuscated from unauthorizedparties, entities or processes. To “consume data” means to receive datafrom a source, transmit data to a recipient or both. An “externalnetwork entity” means an entity—such as a component or a service—that ispart of a network that is external to or located remotely from acomputing device. An “external entity” is defined as an entity to whichan application wishes to establish a connection. A “final endpoint” or“final destination” is the external entity with which an application orprocess intends to establish a connection based on a data request. A“relay server” is a server that facilitates a connection between acomputing device and a remote or content server or some other finalendpoint or destination.

As explained earlier, solutions have been developed that enable a mobiledevice to include both personal and enterprise data. Accordingly, it maybe useful to segregate data usage accounting associated with theenterprise side from usage associated with the personal space. Thisprocess can enable an enterprise to determine how much data that isconsumed by the mobile device is the responsibility of the enterprise.

In view of this need, a method and system for enabling data usageaccounting is described herein. As an example, the method can bepracticed on a computing device that has secure applications andunsecure applications installed thereon. A request for a data sessionthat includes a final endpoint or destination can be received through asecure application. The request for the data session can be interceptedand modified to cause the request to be re-directed back to the secureapplication. In addition, a connection with a relay server can beinitiated instead of the final endpoint such that data usage accountingfor the data session is to be conducted at a remote location. Moreover,this technique can be limited to the secure applications on thecomputing device, meaning the unsecure applications are unaffected.Virtually any type of data can be tracked and counted under this scheme,including digitized voice signals and other forms of communication,including messaging.

Through this arrangement, data tracking can be conducted for secureapplications or other applications associated with an enterprise ororganization that are installed on a user's computing device based onthat user's relationship with that enterprise or organization. Thistracking can also be kept apart from any accounting performed for auser's personal usage, such as that associated with unsecureapplications on the device. Accordingly, an enterprise can accuratelydetermine its accountability for data usage by a computing device thatincludes both enterprise and personal data. This solution may beparticularly useful for counting the data of the sessions at a remotelocation.

Referring to FIG. 1, an example of a block diagram 10 of the systemarchitecture of a computing device 15 is shown. In this arrangement, thecomputing device 15 can include a hardware layer 20, a kernel layer 25and a libraries layer 30, which may include a plurality of nativelibraries. This architecture may also include a runtime environment 35,a system server 40, a secure framework 45 and an application layer 50.

In one arrangement, the hardware layer 20 may include any number andtype of hardware components, such as one or more displays 55, one ormore input/output (I/O) devices 60, one or more processing units 65 andany suitable type and number of memory devices 70 and interfaces 75.Examples of the I/O devices 60 include speakers, microphones, physicalkeypads, etc. In addition, the display 55 can serve as an I/O device 60in the form of a touch-screen display. The interlace 75 can beconfigured to support various types of communications, including wiredor wireless and through any suitable type of standards and protocols. Asan example, the interface 75 can include one or more cellularcommunication stacks and one or more Wi-Fi communication stacks toenable the computing device 15 to conduct bidirectional communicationswith one or more cellular networks and one or more Wi-Fi networks,respectively. In one arrangement, the hardware layer 20 may also includea calculation unit 77, which can be configured to calculate or determine(or at least assist in the determination or calculation of) data usagetotals associated with any type of session conducted on the computingdevice 15, including those originating from the application layer 50.The calculation unit 77 may be a separate component or may be part ofthe processing unit 65. In another arrangement, the calculation unit 77may be remotely located such that it is external to the computing device15. In such a case, information regarding the sessions may be sent to aremote location that supports the calculation unit 77, and the unit 77can perform its calculation functions once it receives the information.

In addition, the runtime environment 35 can support any suitable numberof virtual machines 80 and core libraries 85, although a virtual machinemay not be needed in other arrangements, such as where native code isemployed. The system server 40 can serve as an abstraction for theunderlying layers for the applications in the application layer 50 andcan provide numerous system services for the applications. As is knownin the art, a system framework, which may be part of an application'sprocess, can be employed to enable interaction with the system server 40or other components. In this example, the application layer 50 mayinclude any number of unsecure applications 90 and any number of secureapplications 95, one of which may be a core secure application 100. Thesecure framework 45 can function in a manner similar to that of aconventional framework, but the secure framework 45 can facilitate theencapsulation of a number of secure applications 95 to selectivelyrestrict their data exchanges with the unsecure applications 90. Inparticular, the secure framework 45 can be configured to intercept andmodify certain calls from the secure applications 95, prior to passingthem to the system server 40. In one arrangement, these calls may befrom the secure applications 95 or the system framework.

In many cases, the unsecure applications 90 are associated with thepersonal data of a user of the computing device 15. In contrast, thesecure applications 95 are typically associated with confidential orotherwise sensitive information that belongs to or is associated with anenterprise or some other organization, and the user of the device 15 maywork for such an entity. In one arrangement, a virtual partition orworkspace may be created on the computing device 15 in which the secureapplications 95 (and the core secure application 100) are part of asecure workspace 105, and the unsecure applications 90 are part of apersonal workspace 110. In certain cases, a user may be required toprovide authentication information, such as a password, PIN or biometricdata, to gain access to the secure workspace 105 or to any individual orgroup of secure applications 95.

In some cases, some of the unsecure applications 90 may be systemservices 115 that provide features or functionality that is associatedwith the type of operating system that is installed on the computingdevice 15. In some cases, the system service 115 may be an applicationor a set of applications that live in the background and supportdifferent tasks associated with the operating system of the device 15.System services 115 may facilitate the exposure of low-level functionsof the hardware layer 20 and the kernel layer 25 to the higher-levelapplication layer 50. Many system services 115 may operate with elevatedprivileges, in comparison to other applications. For example, a commonsystem service 115 that is typically found on computing devices 15 is amedia player, which processes and presents media data for a user.Another example of a system service 115 may be a photo viewer, whichpresents digital images for the user. As those skilled in the art willappreciate, the examples listed here are not meant to be limiting, andthere are other system services 115 that may be available on thecomputing device 15.

In another embodiment, the system services 115 may be trusted unsecureapplications 90 that secure applications 95 are permitted to share orotherwise exchange data with. An example of a trusted unsecureapplication 90 may be an unsecure application 90 that is by defaultinstalled on the computing device 15, such as by the manufacturer of thedevice 15 or a wireless carrier or other entity that provides servicesto the device 15. Another example of a trusted unsecure application 90may be an unsecure application 90 that is listed on an applicationwhitelist for one or more secure applications 95. By being part of theapplication whitelist, the trusted unsecure application 90 may bepreapproved for data exchange with the relevant secure application(s)95. Additional information on application whitelisting can be found inU.S. patent application Ser. No. 14/669,911, filed on Mar. 26, 2015,which is incorporated by reference herein in its entirety.

As noted above, the secure applications 95 and the system architecturemay be configured to enable at least some of the calls to the systemserver 40 to be intercepted. There are several processes available forsuch a process. For example, U.S. patent application Ser. No.14/811,158, which was filed on Jul. 28, 2015 and is herein incorporatedby reference in its entirety, describes a method and system in whichsome of the system classes are overridden by classes associated with thecore secure application 100, which can allow runtime hooks to be appliedagainst certain system calls. Based on this technique, some of the callsthat the secure applications 95 (or a system framework) make to thesystem services 115 can be intercepted and modified, a process that willdescribed below.

As another example, U.S. Patent Application Publication No.2015/0113506, which was filed on Mar. 12, 2014, and U.S. PatentApplication No. 2015/0113502, which was also filed on Mar. 12, 2014,each of which is herein incorporated by reference in its entirety,present methods and systems by which target applications areencapsulated as secure applications for distribution. Once installed andinitiated on a computing device 15, the encapsulated applicationdescribed in these references is loaded into memory, and runtime hooksare set to enable application programming interface (API) calls from thesecure application to be intercepted. Similar to the description above,at least some of the calls to the system services 115 from the secureapplications 95 (or a system framework) can be modified once they areintercepted. Other information on the process of intercepting certainfunctions of secure applications can be found in U.S. Pat. No.8,695,060, issued on Apr. 8, 2014, which is also herein incorporated byreference in its entirety.

As described in these incorporated references, a secure application 95can be configured to provide additional features that may not have beenotherwise available prior to it being converted into a secureapplication 95. As an example, a secure application 95 can be arrangedto track the amount of data that it uses (or a particular session. Thisprocess enables an administrator to determine data usage on aper-application basis. Of course, secure applications 95 may be managedin accordance with many other policies or configurations, as is known inthe art.

While many applications (or target applications) are able to beconverted into secure applications 95, there are some applications thatmay not be so modified. For example, many system services 115 aredefault applications that are provided as part of the base configurationof the computing device 15. The developer of the operating system thatprovides these system services 115 may not permit the system services115 to be converted into secure applications 95. As such, many systemservices 115 may remain as unsecure applications 90 on the computingdevice 15. Accordingly, the operation of a system service 115 may not beamenable to being controlled or managed, as is the case with secureapplications 95. The relevance of this condition will be explainedbelow.

In one embodiment a hub application 120 may be part of the applicationlayer 50. The hub application 120 may serve as a connection point forany number of secure applications 95 to enable the secure applications95 to connect to any suitable external entity, including various networkcomponents. In particular, if a secure application 95 requires aconnection with an external entity, the secure application 95 canrequest the hub application 120 to facilitate the communication. The hubapplication 120 can accept such requests from any of the secureapplications 95, including from a single secure application 95 at a timeor from multiple secure applications simultaneously. In accordance withthe description herein, such a technique can facilitate the accountingof data usage associated with secure applications 95. In one example,the hub application 120 can be a daemon or some other process that runsin the background. Because the hub application 120 accepts requests fromthe secure applications 95, it may be considered as part of the secureworkspace 105 and may not be permitted to accept requests from theunsecure applications 90. As an option, a similar arrangement can bemade for the unsecure applications 90, or, alternatively, the hubapplication 120 can be configured to accept requests from both secureapplications 95 and unsecure applications 90.

In an alternative arrangement, the computing device 15 may containpersonal applications and enterprise applications. In this example, thepersonal applications are designed for the personal interactions of auser, while the enterprise applications may be developed for the work orbusiness interactions of a user. The enterprise applications in thissetting may not necessarily be secure applications 95, as describedherein. In addition, a partition may be implemented in the computingdevice 15 to separate the personal applications from the enterpriseapplications. For example, a user may have separate log-ins for gainingaccess to the personal applications and to the enterprise applications.In this example, separate billing paths may be established for thepersonal applications and the enterprise applications, as is presentedherein.

Referring to FIG. 2, a system 200 that shows the computing device 15 incommunication wife one or more remote servers 205 is shown. One or morecommunication networks 210 may facilitate the communications between thecomputing devices 15 and the remote servers 205. In this example, thecomputing device 15 may be a mobile computing device, although theprinciples described herein may apply to desktop computers or otherfixed equipment. In addition, a mobile computing device may be, forexample, a smartphone, laptop, tablet or other devices that may becarried by an individual. The network(s) 210 may be composed of varioustypes of components to support wireless or wired communications(including both). The network(s) 210 may also be Configured to supportlocal or wide area communications (or both). The remote servers 205 mayhost any number of web sites that offer content that may be retrieved bythe computing device 15 and may also be configured to accept data fromthe computing device 15. Because the servers 205 offer content, they mayalso be referred to as content providers, although the term “contentprovider” is certainly not limited to this particular example.

When operating the computing device 15, a user may wish to access datafrom any one of the remote servers 205. In some cases, the data accessrequest may originate from an unsecure application 90. In the standardflow, the unsecure application 90 may sometimes forward the request to arelevant system service 115. For example, if a user wishes to view avideo associated with one of the remote servers 205 through an unsecureapplication 90, the unsecure application 90 passes the request to amedia player of the computing device 15. The media player then retrievesthe data from the appropriate server 205 and presents such data to theuser.

In the case of a secure application 95, a similar request would normallybe passed to the media player, as well. In addition, the media playerwould conventionally establish a connection with the relevant remoteserver 205 and would present the requested data to the user. But becausethe system services 115 are typically not permitted to be converted intosecure applications 95, implementing the feature of data accounting inthem, as can be done with secure applications 95, may not be possible.In this instance, difficulties are presented in determining thepercentage of data usage that is associated with secure applications 95in comparison to the consumption of data by unsecure applications 90.

A solution is described here, however, that enables such an accountingto take place. In particular, the initial data request from the secureapplication 95 can be intercepted and modified prior to being passed tothe media player. In view of the modification, the media player (orother system service 115) can direct the request back to the secureapplication 95, and a connection can be established between the secureapplication 95 and the appropriate remote server 205 to facilitate theexchange of data between the secure application 95 and the remote server205. This redirection of the request through the secure application 95can enable an accounting of the amount of data that is associated withthis particular session, a feature that can be incorporated into secureapplications 95. Accordingly, an accurate accounting of data usageassociated with at least some or all secure applications 95 on thecomputing device 15 is now possible. As previously mentioned, thecounting of the data associated with a secure application 95 is notlimited to being performed by the secure application 95 or even thecomputing device 15, as the calculation can be performed remotely.

This arrangement can enable an entity to determine the percentage ofdata usage that is attributable to it and to the user on a personalbasis. Because data usage may be segregated between enterprise use andpersonal use, the enterprise may be able to craft more accurate dataplans with wireless carriers or other similar entities. Moreover, theuser, who may own the computing device 15, would understand that theuser would not be charged for data usage associated with that user'swork or business and that the user would only be paying for personaldata consumption.

Referring to FIG. 3, a method 300 of data usage accounting is shown. Themethod 300, however, may include additional or even fewer steps orprocesses in comparison to what is illustrated in FIG. 3. Moreover, themethod 300 is not necessarily limited to the chronological order that isshown in FIG. 3. In describing the method 300, reference may be made toFIGS. 1, 2 and 4, although it is understood that the method 300 may bepracticed with any other suitable systems and components and may takeadvantage of other suitable processes.

At step 305, in a setting that includes both secure applications andunsecure applications, a request to access data can be received via oneof the secure applications in which the request is intended for acontent provider via a system service. The request intended for thecontent provider via the system service can be intercepted, as shown atstep 310. At step 315, the intercepted request can be modified, whichcan cause the system service to direct the request back to the secureapplication instead of the content provider. A connection can beestablished with the content provider for the request through the secureapplication to enable data usage accounting of data that is returned bythe content provider, as shown at step 320. Additionally, at step 325,content from the content provider can be received at the secureapplication, and the received content from the content provider can beforwarded to the system service for processing, as shown at step 330. Anamount of data that is carried over the established connectionassociated with the secure application can be determined, as shown atstep 335.

Referring to FIGS. 1 and 2, a user may wish to access data through, forexample a secure application 95 that is installed on the computingdevice 15. As an example, the user may desire to retrieve some type ofcontent, such as video, through the secure application 95. The contentmay need to be retrieved from one of the remote servers 205.Conventionally, the data access request would be passed to the relevantsystem service 115 and the system service 115 would fetch the contentfrom the remote server 205. Here, however, the data access request maybe intercepted prior to being handled by the operating system and can bemodified to direct the request back to the secure application 95 insteadof the remote server 205. Reference will be made to FIG. 4 to helpexplain this process.

In FIG. 4, an example of an interaction 400 between the secureapplication 95, the system service 115 and the remote server 205 isshown. In the initial step, the data access request is received and isintercepted and modified. In this example, the data access request isfor video that is stored at one of the remote servers 205 that isassociated with a website or some other form of digital content, and thesystem service 115 is a media playback application. As such, inaccordance with earlier discussion, the API that is associated with themedia playback service can be hooked.

Based on conventional techniques, the uniform resource indicator (URI)related to this dam request may be a uniform resource locator (URL) withthe associated content available via the hypertext transfer protocol(HTTP) or the hypertext transfer protocol secure (HTTPS). As part of themodification process, the URL may be changed prior to being passed tothe system service 115. The modification of the URL, in one embodiment,may be based on a port number that is provided by the operating system.For example, the secure application 95 may create a listening socket ona loopback interface by requesting a socket and port number from theoperating system. As is known in the art, the loopback interface cansupport inter-process or inter-app communications on the computingdevice 15. The requested port may be a predetermined value or may besimply a request to the operating system to provide an available portnumber. Continuing with the example, the URL may be converted into alocal-host URL that includes the assigned port number and the rest ofthe information from the original URL. The modified URL may then bepassed across to the system service 115, in this case, the media player.As will be explained later, multiple listening sockets and ports may berequested from the operating system as part of this process.

Consider the following specific but non-limiting example. A user mayselect a link through a secure application 95, which may have thefollowing exemplary URL associated with it:

http://www.youtube.com/watch?v=uWHRqspFke0

As noted earlier, the secure application 95 may request a socket andport value from the operating system, and the port value can factor intothe modified URL. In this example, the original URL may be transformedinto the following local-host URL;

http://localhost:4444?t=www.youtube.com&p=watch&r=v=uWHRqspFke0

Here, the port value “4444” is now part of the URL siring, which cancause the system service 115 to point back to this port created by thesecure application 95. In addition, as can be seen, the originalhostname can be encoded in the “t=” parameter, the original path can beencoded in the “p=” parameter and the original parameters can be encodedin the “r=” parameter. Thus, the modified URL can include the portvalue, and the remote information can be added as parameters in themodified URL. A similar example for an HTTPS request will be presentedbelow.

In some arrangements, as part of this process, the secure application 95can create a proxy when the data is initially requested through thesecure application 95. The proxy can act as the intermediary between thesystem service 115 and the remote server 205. In doing so, the proxy maylisten in on any sockets that were created for the overall modificationof the data access request. As an example, each secure application 95can be individually configured to generate the proxy for relevant datarequests that it receives.

In another arrangement, the secure application 95 may record a copy ofthe information associated with the original data request and can mapthat information to the redirect address that has been created. Forexample, in the example above, the secure application 95 may record theinformation associated with the original URL in any suitable database,such as the memory 70 of FIG. 1, and can map this information to theport that was assigned to the modified URL. This way, the secureapplication 95 can easily determine the original remote server 205 whenit receives the modified URL. In an alternative embodiment, theinformation of the original data request may not need to be stored andmapped to the redirect address. In the URL example, the originalinformation from the URL can simply be obtained from the modified URLbecause the original information may be part of the modifiedinformation.

Moving back to FIG. 4, in the second step, the modified data accessrequest can cause the system service 115 to direct the request back tothe secure application 95, instead of the original remote server 205.That is, the system service 115 will establish a connection with thesecure application 95 via the port that the secure application 95created. In view of the mapping process described above, the secureapplication 95 is able to determine the original data access request andcan establish a connection with the relevant content provider, such asan appropriate remote server 205. In particular, based on the exampleabove, the secure application 95 can determine the original URL requestand can open a connection with the location specified by the originalURL. This process is reflected in the third step of FIG. 4. At thispoint, the secure application 95 can fetch the content from the remoteserver 205 and can return this content to the system service 115 forprocessing, as shown in the fourth step. The user may then consume therequested data similar to a normal session. As will be explained below,there may be scenarios where a similar re-routing process can beperformed to enable data usage tracking but without the invocation of asystem service 115.

As previously noted, the secure application 95 may be configured totrack data usage. In this case, the secure application 95 can determinean amount of data that is carried over the connection that isestablished with the remote server 205. This can include both incoming(i.e., from remote server 205 to secure application 95) and outgoing(i.e., from secure application 95 to remote server 205) content. Forexample, the calculation unit 77 of FIG. 1 can work with the secureapplication 95 to tally the amount of data consumed by this particularsession. In addition, because each session associated with thisparticular secure application 95 can be tracked, a cumulative amount ofdata usage for the secure application 95 over a certain time period canbe determined. This process may also be conducted for all or at leastsome of the other secure applications 95 that are installed on thecomputing device 15. As previously mentioned, the data usage associatedwith the secure applications 95 may also be counted at a location thatis remote to the computing device 15.

If the secure applications 95 are associated with an enterprise, theenterprise can determine the amount of data usage that is tied to eachof its secure applications 95. This feature can enable the enterprise todetermine data usage on the device 15 that is solely attributable to it.As a result, data usage tracking associated with the secure applicationscan be segregated from data usage that originates from the unsecureapplications.

In one embodiment, the connection that is established between the secureapplication 95 and the remote server 205 can be a secure connection. Forexample, as is Known in the art, the secure application 95 can beconfigured to establish virtual private network (VPN) connections withremote locations. Such a VPN connection is individual to the secureapplication 95 and is different from a system-level VPN. If desired,however, the connection between the secure application 95 and the remoteserver 205 is not required to be a secure connection. In addition, inanother embodiment, the secure application 95 may use a system-levelVPN.

The description above may apply to other protocols that facilitate theexchange of data. For example, HTTPS traffic may also be tracked inaccordance with the procedures presented herein. In one embodiment,additional steps can be taken when dealing with HTTPS traffic to ensureaccurate and complete accounting. For example, if a user is accessing anHTTPS link through the secure application 95, the original URL may bemodified similar to the HTTP examples above, but the connection betweenthe system service 115 and the secure application 95 may be left in theopen.

Consider the following example. If an HTTPS request is generated, thesecure application 95 can convert the HTTPS request to an HTTP requestwhen the secure application 95 modifies the URL for purposes ofdirecting the system service 115 back to the secure application 95. Thatis, the secure application 95 can change the connection type of the datarequest from a secure connection to an open connection when the datarequest is modified. Referring back to the URL example above, thefollowing HTTPS URL may be received:

https://www.youtube.com/watch?v=uWHRqspFke0

The secure application 95 can determine that this is an HTTPS requestand can modify the URL. An exemplary conversion is presented here:

http://localhost:4444?s=www.youtube.com&p=watch&r=v=uWHRqspFke0

As reflected in the string, the HTTPS request is convened to an HTTPrequest. As a result, the connection between the system service 115 andthe secure application 95 can be out in the open. As will be explainedbelow, this feature can enable the secure application 95 to handlere-directs from the remote server 205.

As can also be seen in the siring, the “s=” parameter can provide anindication that the original URL was an HTTPS request. Accordingly, whenthe secure application 95 establishes the connection between it and theremote server 205, an HTTPS connection can be created. In other words,the system service 115 may not be responsible for establishing the HTTPSconnection, and the secure application 95 may be in control of anysecurity-related handshaking and getting the encryption keys in place.The session between the secure application 95 and the remote server 205can be a transport layer security (TLS) connection, which can terminateat the secure application 95.

As explained earlier, the secure application 95 may be configured toarrange VPN connections in an individual manner. Such anapplication-level VPN can support any type of traffic that is exchangedbetween the secure application 95 and the remote server 205, includingboth HTTP and HTTPS streams. In other words, the ability of the secureapplication 95 to provide an application-level VPN does not impede theability of the secure application 95 to modify data access requests andthen convert them back to their original form, as described above.Further, these techniques can be practiced if the secure application 95is using a system-level VPN or is not relying on a VPN connection atall.

As is known in the art, some initial data access requests are answeredwith a re-direct, which instructs the requesting source to anotherdestination to retrieve the desired content. For example, in the case ofan HTTP request, the requesting device may receive an HTTP re-directfrom the server, which causes the device to generate another HTTPrequest based on the re-direct destination. In addition, in some cases,a URL playlist may be sent from the server, which may include aplurality of URLs. This particular feature may support HTTPlive-streaming, a protocol that enables a client to select from a numberof different alternate streams containing the same material encoded at avariety of data rates, which can allow the streaming session to adapt tothe available data rate.

In one arrangement, the secure application 95 may be configured toaccount for these re-directs. For example, if the initial data requestis an HTTP request and the remote server 205 returns an HTTP re-direct,the secure application 95 may transform that HTTP re-direct inaccordance with the modification process described above. By doing so,the secure application 95 can ensure that the system service 115establishes the new re-direct connection with the secure application 95.As such, when the secure application 95 detects a re-direct, the secureapplication 95 can request another socket and port from the operatingsystem to account for the new destination that originates from there-direct. The secure application 95 can then open a connection betweenitself and the new (and appropriate) remote server 205. This process canbe expanded to account for re-direct playlists, such that socket/portpairs are generated when needed for the URLs that make up the playlists.

As can be gleaned from this example, the secure application 95 may berequired to detect the re-directs in the incoming streams. If theoriginal data access request is not based on a secure protocol, likeHTTPS, then the secure application 95 is easily able to detect there-directs. If the original request is based on a secure protocol,however, complications may arise because the traffic being streamed tothe system service 115 may be encrypted. As noted above, when dealingwith a secure protocol, the termination point for the secure connectioncan be placed at the secure application 95, not the system service 115.As a result, the secure application 95 can decrypt the incoming trafficand can detect the re-directs, similar to how it would for an unsecureprotocol. Thus, as an example, redirects can be handled for both HTTPand HTTPS.

In some cases, other components may assist in the calculation of datafor purposes of usage accounting. For example, some system services 115may offer notifications based on certain events that may be related todata usage. In one particular example, the secure applications 95 canregister for certain callbacks from the system services 115 that areequipped to provide such notifications. As an example, if a data sessionis initiated through a secure application 95, the system service 115 canprovide one or more notifications that inform the secure application 95of the start of the session and its eventual ending. Statistics relatedto the amount of data that was consumed during the session can beincorporated into the notifications, which the secure application 95 canuse to track its data usage. The overall total usage related to all orat least some of the secure applications 95 can be determined, which canallow the segregation of data consumption between secure and personalprofiles, as described earlier. In this ease, however, the modificationof the data access requests is not required, and the system service mayfetch data in its conventional manner. When available with the systemservices 115, this feature may be useful for data accounting,particularly when application-level VPNs ate not incorporated into thesecure applications 95.

The description herein has been presented primarily in terms of a secureapplication 95 handling the modification of data requests and the datausage tracking. The description, however, is not so limited. Inparticular, these features can be implemented into an unsecureapplication such that data usage can be tracked for these types ofapplications on an individual basis. Similarly, the system service thatis involved in this process is not limited to a media player. In fact,any system service that is involved in the exchange of data with aremote location may be applicable to the description provided herein.For example, other system services that apply here may include a textingapplication, a dialer or any other application that facilitates orotherwise supports voice communications, a video or camera application,or a map application or other application that supports mappingfeatures. In fact, the description herein may apply to any type ofapplication, whether secure or unsecure, that may involve theconsumption of content or the use of services in which it may benecessary to distinguish between personal use of such content andservices and secure or workspace or enterprise use of the content andservices.

In some cases, it may not be necessary to invoke the system service 115to handle a request for a data session. That is, the request for thedata session may not require the launching of a separate application tohandle the request. For example, the secure application 95 may be asecure web browser, through which a user may attempt to retrieve somedata. As is known in the art, in prior art cases, an application maywork with the operating system of a computing device to establish aconnection to an external entity, such as a web server. In a typicalmobile device setting, the application may be configured to generatecalls for an application programming interface (API) defined by theportable operating system interface (POSIX). In response, the operatingsystem can establish a connection to the external entity on behalf ofthe application.

Similar to the description above, techniques can be implemented thatenable secure applications 95 to have such calls natively redirectedback to them for the purpose of establishing a connection with theappropriate external entity and for enabling an accounting of the datasession. This process can also make possible a scheme in which datausage for secure applications 95 is counted separately from thatassociated with unsecure applications 90.

Referring to FIG. 5, a method 500 for enabling data usage accounting isshown. The method 500, however, may include additional or even fewersteps or processes in comparison to what is illustrated in FIG. 5.Moreover, the method 500 is not necessarily limited to the chronologicalorder that is shown in FIG. 5. In describing the method 500, referencemay be made to the drawings attached hereto, although it is understoodthat the method 500 may be practiced with any other suitable systems andcomponents and may take advantage of other suitable processes.

At step 505, a request for a data session can be received through asecure application, and at step 510, in response, a listening socket canbe created. The request for the data session can be intercepted, asshown at step 515, and the request for the data session can be modifiedto cause the request to be re-directed back to the secure application,as shown at step 520. At step 525, a connection can be initiated toenable retrieval of the data in response to the request and anaccounting of the data session. At step 530, the listening socket can betorn down. In addition, at decision block 535, it can be determinedwhether a connection with a Wi-Fi network is in place. If no, the method500 can resume at decision block 535. If yes, a setting can be activatedthat prevents the request for the data session from being interceptedand modified, as shown at step 540.

To help explain the method 500, reference will be made to FIG. 6, whichpresents an example of an interaction 600 between a secure application95 and the system server 40 with the secure framework 45 facilitatingthe operation. Although the secure framework 45 may be considered partof and can work in conjunction with the secure application 95 to carryout the operations described herein, reference may in some cases be madesolely to the secure application 95 when explaining this interaction 600for purposes of convenience. Initially, a user may be interacting withthe secure application 95, and the user may wish to retrieve somecontent from, for example, an external entity. As noted earlier, thecomputing device 15 may have both secure applications 95 and unsecureapplications 90 installed thereon.

In response to the user interaction, the secure application 95 maygenerate a request for a data session. As an example, the request may bea POSIX connect call, although the principles outlined herein are notlimited to such an arrangement. This request may include addressinginformation that is intended to be used to establish the connection withthe external entity. Examples of addressing information include thefollowing arguments: socket (specifies the file descriptor associatedwith the socket); address (points to a sockaddr structure containing thepeer address); and address_len (specifies the length of the sockaddrstructure pointed to by the address argument. Other exemplary argumentsand parameters may also be applicable here. In addition, the term“addressing information” is defined as data that is configured tofacilitate or enable a connection with one or more destinations. Thisrequest may be from the secure application 95 or the system frameworkassociated with the secure application 95. In either case, in response,the secure application 95 can generate a listening socket on theloopback interface—similar to the procedures previously described. Inone arrangement, the listening socket can be a temporary socket in thatit can be torn down once it serves its purpose of establishing aconnection through the secure application 95.

Once the listening socket is created, the secure application 95 canintercept the request for the data session. This interception can occurbecause the secure framework 45 can be shimmed between the systemframework and the operating system and can be configured to recognizepredetermined calls for modification or other processing, while allowingothers to pass unfettered. In any event, the data session request can bemodified by re-writing portions of the request based on thenewly-created listening socket. For example, the addressing informationof the connect call may be re-written with the addressing informationassociated with the listening socket. As shown in FIG. 6, the modifieddata session request can then be passed to the system server 40. Thismodified call may still be in the native format, or in the form that isnormally used by the secure application 95 and other applications on thecomputing device 15 to make calls to the operating system. That is, thenative version of the relevant function can be called at this stage,where it is modified to include the new addressing information for thelistening socket.

As part of the modification process, the original addressing information(or at least some portion or it) can be stored and assigned to thelistening socket. The original addressing information includes the finaldestination address and can be used to establish the intendedconnection, as will be explained below. As another part of this process,a return can be generated to inform the system framework or the secureapplication 95 that the requested connect is in progress.

When the operating system receives the data session request, theoperating system can redirect the data session request back to thesecure application 95, as opposed to the intended final destinationaddress. In particular, the data session request is returned to thelistening socket based on the re-written addressing information thatreplaced the original addressing information. In this case, theoperating system can wire up a connection between the relevant socket ofthe secure application 95 and the listening socket through the loopbackinterface. Once the redirected connection is established on thelistening socket, the secure application 95 can retrieve the originaladdressing information and can initiate and establish the connectionwith the external entity, using the original addressing information.Specifically, a connect socket can be generated, and this connect socketcan be used to establish a connection with the appropriate socket of theexternal entity. Further, once the connection with the intended externalentity has been initiated (or completed), the secure application 95 cantear down the listening socket to return system resources.

In this case, similar to the process associated with the system serviceredirection described above, the redirection here can be transparent tothe secure application 95 or the system framework. That is, no changesare required to be made to the secure application 95 or the systemframework to enable the interception and modification of the datasession request. These objects can continue to make their native callswhen seeking to exchange data with an external entity, and they areunaware that their calls are being manipulated in this manner. The terms“transparent redirection of a request” or “transparently redirecting arequest” are defined as a redirection of a request in which the sourceof the request is unaware of its redirection, and examples of a requestinclude a call, command or function. The terms “native redirection of arequest” or “natively redirecting a request” are defined as aredirection of a request in which the source of the request maintainsits reliance on native or pre-existing protocols or structure togenerate or to facilitate the request.

The connection between the secure application 95 and the external entitymay support various types of formats or protocols. In some cases, theconnection to the external entity may be through an application-levelvirtual private network (VPN), as the secure application 95 may beconfigured to provide such a feature. The connection may also utilize asystem-level VPN, if desired. In this case, the socket of the externalentity can be the appropriate socket of the VPN, as opposed to a nativesocket for the back-end location. Moreover, the connection with theexternal entity is not necessarily limited to being a secure connection,as unsecure connections may be used.

As noted earlier, the computing device 15 in which the previouslydescribed techniques may be practiced may include a Wi-Fi communicationsstack. The Wi-Fi stack can enable the device 15 to exchange data withexternal entities over a Wi-Fi network using any of the protocols withinthat family for which the device 15 is configured. In some cases, it maynot be necessary to track data usage associated with secure applications95 (or even unsecure applications 90) when the device 15 is camped on aWi-Fi network. In fact, it may not be necessary to do so when the device15 is operating on any non-cellular network or other networks that donot bill users for access. In this instance, when the device 15 is usinga Wi-Fi network or other non-billable or free network for data access, asetting in the device may be activated to prevent the process ofredirecting data access requests. That is, because users are typicallypermitted to access Wi-Fi networks for free, it may not be necessary totrack data usage when the device 15 is using such a network, therebyobviating the need to intercept and modify the data access requests inaccordance with the processes described above. When the computing device15 leaves the Wi-Fi network and returns to the billing network, thesetting can be deactivated, and the process of data usage counting canbegin again.

In another arrangement, the tracking of data usage may be limited to aparticular network, such as a predefined cellular network. Thus, theprocesses described herein may only be executed on this predeterminednetwork. When the computing device 15 is operating on any other network,the redirection process may not be carried out. For example, if thecomputing device 15 is roaming on a network, or operating on a networkthat is not its home network, the setting that prevents the redirectionprocess may be activated, even though use of the roaming network maycause the user to incur data usage charges. Nonetheless, if desired,data usage tracking based on the techniques described herein may beconducted on roaming networks or Wi-Fi or other free-access networks.

As previously noted, the counting or calculation of data can beperformed at a location that is remote to the computing device 15. Forexample, an arrangement may be configured in which certain data sessionsare facilitated by a remote relay to enable data tracking at the relayor some other suitable location. Referring to FIG. 7, an example of asystem 700 that enables data usage accounting through a relay isillustrated. The system 700 can include one or more computing devices15—which may have both unsecure applications 90 and secure applications95 installed thereon—and one or more remote servers 205. The remoteservers 205 and the computing devices 15 may exchange various forms ofdata with one another. Similar to FIG. 2, one or more networks 210 mayfacilitate the exchange of data between the computing devices 15 and theremote servers 205. The network(s) 210 may be composed of various typesof components to support wireless or wired communications (includingboth). The network(s) 210 may also be configured to support local orwide area communications (or both).

In one arrangement, the network 210 may include one or more relayservers 705, and at least some of the relay servers 705 may include acalculation unit 710. The calculation unit 710 may be a part of therelay server 705 or may be an independent component that iscommunicatively coupled to the relay server 705. In either case,connections may be established between any of the relay servers 705 andany of the computing devices 15 and between any of the relay servers 705and any of the remote servers 205. As will be explained further below,when such connections are established, the data that is transferredbetween the computing devices 15 and the remote servers 205 may becalculated or counted, such as by the appropriate calculation units 710.To enable the segregation of data usage accounting between enterpriseand personal use, such tracking may only be conducted for secureapplications 95 or other processes associated with the enterprise andnot the user's personal activities.

As mentioned above, there may be numerous networks 210 involved tohandle the exchange of data between the computing devices 15 and theremote servers 205. The relay servers 705, however, may be associatedwith a predetermined network, such that the computing device 15 isdirected to a server 705 in this particular network 210. Moreover, theuse of the relay servers 705 (and hence, the calculation units 710) maybe selective in nature. For example, this arrangement may only beutilized for secure applications 95 and when the computing device 15 iscamped on a certain network 210 for service, such as a predeterminedcellular network.

Referring to FIG. 8, a method 800 of enabling data usage accountingthrough a relay is illustrated. The method 800, however, may includeadditional or even fewer steps or processes in comparison to what isillustrated in FIG. 8. Moreover, the method 800 is not necessarilylimited to the chronological order that is shown in FIG. 8. Indescribing the method 800, reference may be made to the drawingsattached hereto, although it is understood that the method 800 may bepracticed with any other suitable systems and components and may takeadvantage of other suitable processes.

At step 805, on a computing device that has secure applications andunsecure applications installed thereon, a request for a data sessioncan be received through a secure application. The request may include afinal endpoint. At step 810, the request for the data session can beintercepted, and the request can be modified to cause the request to beredirected back to the secure application, as shown at step 815. At step820, a connection can be initiated with a relay server instead of thefinal endpoint such that data usage accounting for the data session isto be conducted at a remote location.

In addition, at step 825, the computing device can be authenticated withthe relay server prior to permitting data exchange between the secureapplication and the relay server. At step 830, the final endpoint can beprovided to the relay server to enable the relay server to establish aconnection with the final endpoint. At step 835, data from the secureapplication may be buffered while the connection with the relay serveror the final endpoint is being established. Data associated with thefinal endpoint may be counted such that a data usage amount isdetermined for the requesting secure application, as shown at step 840.At step 845, a report can be generated that details the data usage ofthe secure applications installed on the computing device. Additionally,at decision block 850, it can be determined whether the computing deviceis operating on a Wi-Fi communication network. If not, the method 800can resume at decision block 850. If yes, in response to such adetermination, a setting can be activated that prevents the data sessionrequest to be redirected back to the secure application and theinitiation Of the connection with the relay server, as shown at step855.

To help explain the method 800, reference will be made to FIG. 9, whichshows an example of an interaction 900 among a secure application 95(along with the secure framework 45), a relay server 705 (andcalculation unit 710) and a remote server 205. As previously explained,the secure framework 45 may be considered to be part of the secureapplication 95, and the calculation unit 710 may be part of the relayserver 710, although other suitable arrangements may apply to theseprinciples.

As an example, a user may initiate a data session request through asecure application 95, which may be intercepted and modified to beredirected back to the secure application 95. This process may besimilar to the exemplary techniques described above with respect tore-writing URLs and addressing information. That is, the secureapplication 95, via the secure framework 45, may set up a listeningsocket on a loopback interface, and the relevant data can be re-writtento cause the request to be redirected to the listening socket. Here,however, the secure application 95 can initiate a connection with therelay server 705. The relay server 705, which can be any suitablecombination of hardware and software, can be used to initiate andestablish a connection with the final endpoint of the data sessionrequest, which may be the remote server 205.

For example, when the data session request is intercepted, the secureapplication 95 can re-write the addressing information of the requestwith the addressing information of the listening socket of the loopbackinterface and can store the replaced addressing information. The storedaddressing information may be the addressing information of the finalendpoint. As before, a return can be generated to inform the systemframework or the secure application 95 that the requested connect is inprogress. When the operating system establishes the connection betweenthe socket of the secure application 95 and the listening socket, thesecure application 95 may then generate an accepted or connected socket.The connected socket may enable data to be passed to and from the secureapplication 95 through the loopback interface. As an example, after theconnected socket is generated, the listening socket may be torn down topreserve system resources, although such a step may be bypassed in othercircumstances.

In one arrangement, when the connection is accepted on the listeningsocket, the secure application 95 may generate a back-end socket forinitiating and establishing the connection with, for example, theappropriate relay server 705, which may be listening for connections onits public IP address. As part of initiating the connection with therelay server 705, the connection protocol with the relay server 705 maybe negotiated, which may include authentication of the computing device15 or some other process, service or component that is part of thedevice 15. As an example, the IP address of the computing device 15 maybe provided to enable the authentication of the device 15.

While the connection between the secure application 95 and the relayserver 705 is being negotiated, any data that may be generated by thesecure application 95 may be buffered, at least until, for example, theconnection with the relay server 705 is established. In particular, theconnection between the relevant socket of the secure application 95 andthe connected socket of the loopback interface may be operatively thesame as a connection with a final endpoint. In view of this connection,a one-to-one mapping between the socket of the secure application 95 andthe connected socket may exist. As such, the secure application 95 maybehave naturally and to support this feature, any portion of the datagenerated by the secure application 95 during the negotiation with therelay server 705 can be saved for eventual transmission to the relayserver 705.

In one arrangement, once the connection with the relay server 705 isestablished, the secure application 95 can send the final endpoint ofthe data session request to the relay server 705. For example, thesecure application 95 may, in accordance with the protocol of the relayserver 705, package the addressing information of the final endpoint aspart of a payload for the relay server 705. In one arrangement, anybuffered data from the secure application 95 may be sent to the relayserver 705. The relay server 705 can establish the connection with theremote server 205 (i.e., final endpoint) on behalf of the secureapplication 95. If necessary, the relay server 705 may also buffer dataduring its negotiation with the remote server 205. Once the connectionis established between the relay server 705 and the remote server 205,data exchanges may occur between the secure application 95 of thecomputing device 15 and the remote server 205, via the relay server 705.In an alternative arrangement, the buffered data may be held at thecomputing device 15 until the connection between the relay server 705and the remote server 205 is completed.

Eventually, the data session may end, either through the secureapplication 95, the relay server 705, the remote server 205 or someother process or component. In either case, the components/processes maytear down the connections and release any relevant system resources. Asan example, the secure application 95 may close the loopback interface(and any associated sockets) in the event the session is completed.These principles may also apply in the event that any of the connectionsare unable to be established in response to the initial request.

As noted previously, uniform resource locators (URL) may be re-written,particularly in the case of calls being made to a system service 115.The process of establishing the connection with the relay server 705 andthe remote server 205 is similar to that described above. In this case,however, during the time the connection with the relay server 705 isbeing established, the secure application 95 can perform a domain namesystem (DNS) look-up of the original host name to determine theappropriate IP address for the final endpoint. Once the IP address isretrieved and the connection with the relay server 705 is established,the secure application 95 can provide the IP address as part of theaddressing information that is packaged and sent to the relay server705. That is, the re-written URL may be resolved into an address thatcan be used to establish the connection with the appropriate remoteserver 205 through the relay server 705.

In either arrangement, any data that is exchanged between the secureapplication 95 and the remote server 205 may be routed through the relayserver 705. As such, the relay server 705 can be configured tofacilitate the remote tracking of data usage for the secure application95 for this exchange, as well as other sessions in the future. Forexample, the calculation unit 710 may determine the data usage for thesecure application 95, as well as other secure applications 95, and cangenerate one or more reports that indicate the details of such usage. Asan example, the data usage can be correlated with a particular computingdevice 15 through the received IP address of the device 15. The reportcan include usage totals on an individual or group basis for any numberof secure applications 95. These reports may then be disseminated to therelevant parties for purposes of billing.

As illustrated here, a relay scheme can be leveraged to enable remotedata counting for the computing device 15. There are other alternatives,however, that may apply. For example, the counting of the data based onthe exchanges with the external entity may be performed at the computingdevice 15, such as through the secure application 95 that requested thesession or a hub application 120 (see FIG. 1). Moreover, the calculationunits 710 may not necessarily be at the same location as the relayservers 705, as the units 710 may be remote to both the computing device15 and the relay servers 705. In addition, any number of calculationunits 710 may be associated with any number of relay servers 705. Infact, these components may be grouped together in any suitable fashion.For example, any number of relay servers 705 and calculation units 710may be grouped together for an enterprise in which the users of thecomputing devices 15 being tracked are associated with the enterprise,such as employees of the enterprise. These groupings may be isolatedfrom one another to prevent comingling of data streams associated withdifferent enterprises to ensure accurate billing.

As explained earlier, this process of establishing a connection with arelay server 705 to enable data exchange with a final destination andfor tracking and counting the data associated with such sessions may berestricted to secure applications 95, such as those installed on thecomputing device 15. As such, this procedure may not be performed forany data sessions associated with unsecure applications 90. Because thesecure applications 95 may likely be associated with or sponsored by anenterprise, the process presented here can allow for separate data usagecharges for the computing device 15 with respect to a user's personaldata and that affiliated with, for example, the user's employer. Ofcourse, such an arrangement may be implemented for any application,including individual applications or for certain groups of applications,and may not necessarily be limited only to secure applications 95.

In another arrangement, the process of establishing the connection withthe relay server 705 as described above may be transparent to the secureapplication 95. As another example, this connection may be based on aprotocol that is non-native to the secure application 95. As is known inthe art, a secure application 95 is created from a target applicationthat is typically available to one or more parties for download, such asthrough an app store or some other electronic storefront. The originalportions of the target application that make up the secure application95 may be unaware of the connection with the relay server 705 and suchportions may continue to make calls in their native formats. Thisprinciple also applies to the system framework. The secure framework 45of the secure application 95, however, may be configured to abstract thenecessary calls and protocol associated with establishing the connectionwith the relay server 705. As such, the original developer is relievedof having to change any of the original code to facilitate the relayingarrangement or to operate in accordance with the non-native protocol ofthe relay server 705.

In one embodiment, the protocol for the connection to the relay server705 can be configured to traverse firewalls or other security featuresto permit access to protected internal resources. For example, thisconnection may be based on a layer 4 solution (transport) per the opensystems interconnection (OSI) model, as opposed to tunneling ornetworking technologies associated with layer 3 of the OSI model. Thisarrangement reduces the complexities of the connection because there areno addressing resolution issues, as would be the case for a VPNsolution. This is, the transport layer solution obviates the need todeploy a networking infrastructure, and the non-native protocol can beresolved by the secure framework 45. Almost any type of data may flowover the relay connection, as well, including encrypted and unencryptedtraffic.

The secure application 95 may be configured to connect to an externalentity in multiple ways. For example, the secure application 95 may useblocking or non-blocking sockets or transmission control protocol (TCP)or user datagram protocol (UDP) connections. The solutions presentedhere can accommodate all or at least a portion of the possible ways asecure application 95 may be designed to connect to the external entity.That is, the secure framework 45 may be constructed to intercept thevarious networking calls of the secure application 95 and to perform theredirects and connection-initiation with the relay server 705 inaccordance with the protocol of the relay server 705, as describedabove. Thus, in one arrangement, a plurality of predetermined disparatenetworking calls or functions of the secure applications 95 that arebased on various connection modes may be identified. These calls orfunctions may then be manipulated when they are activated in accordancewith the descriptions above to permit data exchange over a relayconnection that is based on a single connection mode.

In some cases, the execution of this relaying process may hinge on thetype of network to which the computing device 15 is connected. Forexample, if the computing device 15 is camped on a Wi-Fi network or someother public, private or free access network, a setting may be activatedthat prevents the data session request from being redirected back to thesecure application or the initiation of the connection with the relayserver 705, or both. In addition, the relaying process may only beconducted if the computing device 15 is camped on a predeterminednetwork, such as its home cellular network. As such, if the device 15 isroaming, the setting described above may be activated. Of course, theseembodiments are not meant to be limiting, as the techniques presentedhere may be applicable to any one of the networks with which thecomputing device 15 may conduct communications.

While various embodiments have been described above, it should beunderstood that they have been presented by way of example only, and notlimitation. It will be understood by those skilled in the relevantart(s) that various changes in form and details may be made thereinwithout departing from the spirit and scope of the subject matter asdefined in the appended claims. Accordingly, the breadth and scope ofthe present subject matter should not be limited by any of theabove-described exemplary embodiments, but should be defined only inaccordance with the following claims and their equivalents.

The flowchart and block diagrams in the figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments. In this regard, each block in the flowchart or blockdiagrams may represent a module, segment, or portion of code, whichcomprises one or more executable instructions for implementing thespecified logical function(s). It should also be noted that, in somealternative implementations, the functions noted in the block may occurout of the order noted in the figures. For example, two blocks shown insuccession may, in fact, be executed substantially concurrently, or theblocks may sometimes be executed in the reverse order, depending uponthe functionality involved.

1-13. (canceled)
 14. A computing device that is configured to supportsegregated data usage accounting, comprising: a display that isconfigured to display both personal applications and enterpriseapplications that are installed on the computing device; and aprocessing unit that is communicatively coupled to the display, whereinthe processing unit is configured to: detect a data session request froman enterprise application among the enterprise applications to exchangedata with an external entity; redirect the data session request from theexternal entity to a relay component over a computer network, the relaycomponent being configured to facilitate the data session requestbetween the enterprise application and the external entity and toperform a remote enterprise data usage accounting for the data sessionrequest; and authenticate the computing device with the relay componentto establish a connection with the relay component.
 15. The computingdevice according to claim 14, wherein the processing unit is furtherconfigured to re-write addressing information associated with the datasession request to cause redirection of the data session request fromthe external entity to the relay component.
 16. The computing deviceaccording to claim 14, wherein the processing unit is further configuredto redirect the data session request to the relay component using aprotocol that is non-native to the enterprise application.
 17. Thecomputing device according to claim 14, wherein the processing unit isfurther configured to: determine that the computing device is operatingon a predetermined cellular network; and redirect the data sessionrequest from the external entity to the relay component in response tothe computing device operating on the predetermined cellular network.18. The computing device according to claim 14, wherein the processingunit is further configured to: detect a second data session request fromthe enterprise application to exchange data with a second externalentity; determine that the computing device is operating on a Wi-Finetwork; and direct the second data session request to the secondexternal entity in response to the computing device operating on theWi-Fi network.
 19. The computing device according to claim 14, whereinthe processing unit is further configured to: detect a second datasession request from a personal application among the personalapplications to exchange data with a second external entity; and directthe second data session request to the second external entity.
 20. Thecomputing device according to claim 14, wherein the computing device isconfigured to support a secure workspace that isolates the enterpriseapplications from the personal applications on the computing device. 21.The computing device according to claim 14, wherein the relay componentis configured to perform both the data session request and the remoteenterprise data usage accounting.
 22. The computing device according toclaim 14, wherein: the data session request includes a final endpointfor retrieval of content; and the processing unit is further configuredto provide the final endpoint to the relay component to enable the relaycomponent to establish a connection with the final endpoint.
 23. Amethod to support segregated data usage accounting, comprising: havingat least one personal application and at least one enterpriseapplication installed on a computing device; detecting a data sessionrequest from the at least one enterprise application to exchange datawith an external entity; redirecting the data session request from theexternal entity to a relay component over a computer network, the relaycomponent being configured to facilitate the data session requestbetween the at least one enterprise application and the external entityand to perform a remote enterprise data usage accounting of the datasession request; and authenticating the computing device with the relaycomponent to establish a connection with the relay component.
 24. Themethod according to claim 23, wherein the redirecting comprisesre-writing addressing information associated with the data sessionrequest to cause redirection of the data session request from theexternal entity to the relay component.
 25. The method according toclaim 23, wherein the redirecting comprises redirecting the data sessionrequest to the relay component using a protocol that is non-native tothe enterprise application.
 26. The method according to claim 23,further comprising: determining that the computing device is operatingon a predetermined cellular network; and redirecting the data sessionrequest from the external entity to the relay component in response tothe computing device operating on the predetermined cellular network.27. The method according to claim 23, further comprising: detecting asecond data session request from the enterprise application to exchangedata with a second external entity; determining that the computingdevice is operating on a Wi-Fi network; and directing the second datasession request to the second external entity in response to thecomputing device operating on the Wi-Fi network.
 28. The methodaccording to claim 23, further comprising: detecting a second datasession request from a personal application among the personalapplications to exchange data with a second external entity; anddirecting the second data session request to the second external entity.29. The method according to claim 23, wherein the relay component isconfigured to perform both the data session request and the remoteenterprise data usage accounting.
 30. The method according to claim 23,wherein: the data session request includes a final endpoint forretrieval of content; and the method further comprises providing thefinal endpoint to the relay component to enable the relay component toestablish a connection with the final endpoint.
 31. A computing devicethat is configured to support segregated data usage accounting,comprising: a display that is configured to display both unsecureapplications and secure applications that are installed on the computingdevice, wherein the secure applications are designated for data usageaccounting; and a processing unit that is communicatively coupled to thedisplay, wherein the processing unit is configured to: detect a datasession request from a secure application among the secure applicationsto exchange data with an external entity; redirect the data sessionrequest from the external entity to a relay component over a computernetwork, the relay component being configured to facilitate the datasession request between the secure application and the external entityand to perform a remote data usage accounting of the data sessionrequest; and authenticate the computing device with the relay componentto establish a connection with the relay component.
 32. The computingdevice according to claim 31, wherein the processing unit is furtherconfigured to re-write addressing information associated with the datasession request to cause redirection of the data session request fromthe external entity to the relay component.
 33. The computing deviceaccording to claim 31, wherein: the data session request includes afinal endpoint for retrieval of content; and the processing unit isfurther configured to provide the final endpoint to the relay componentto enable the relay component to establish a connection with the finalendpoint.